RSA Authentication, switch failing hash of the public key

mauricio2099 (Level 1)

Hello, I am trying to set up RSA authentication with a key pair. The key pair is generated on a Linux server and then I copy the content of the public one to the switch.
But in the switch configuration the hash of the key is different from the hash on the Linux machine.

On Linux:

$ ssh-keygen

$ fold -b -w 72 id_rsa.pub
On the Cisco Catalyst 9500 switch:

#ip ssh pubkey-chain

#username test

#key-string

# paste the fold output lines here (including ssh-rsa and myaccount@domain)
# press "Enter"

#exit

I also tried removing "ssh-rsa" and "myaccount@domain" from the string.
I also tried creating the key pair without a passphrase, but got the same results.

Also, when trying to log in from the Linux machine to the switch:
The authenticity of host '100.100.100.100 (100.100.100.100)' can't be established.
RSA key fingerprint is SHA256:5rsaM4cAddResy8K-t5fgPytdLrO435gwysAghVg7c8fI3.
RSA key fingerprint is MD5:31:5b:87:b3:b6:94:03:98:5d:88:5b:3d:34:ff:3c:3f.
Are you sure you want to continue connecting (yes/no)?


This setup is for a service account that lost the ability to authenticate with RADIUS after MFA was implemented, so we have some things broken.

Accepted Solution

mauricio2099 (Level 1)

Hello Community,

I ended up creating the key pair with PuTTYgen at 2048 bits. Then the key was converted to OpenSSH format so the monitoring application would accept it, and the public key was exported to the monitoring server in the proper store.

The public key was copied straight from the PuTTYgen interface and pasted as-is into Notepad. Then from Notepad it was added to my script.


conf t
ip ssh pubkey-chain
username SERVICEACCOUNT
key-string
ssh-rsa BBAAB3NzaZbw6I46VWAABAAABAQCZbw6I46VWA/EjtpRzqOM/m5grn669eV9piq9vndsfh4R
+BBAAB3NzaZbw6I46VWAABAAABAQCZbw6I46VWA/EjtpRzqOM/m5grn669eV9piq9vndsfh4R
+BBAAB3NzaZbw6I46VWAABAAABAQCZbw6I46VWA/EjtpRzqOM/m5grn669eV9piq9vndsfh4R
+BBAAB3NzaZbw6I46VWAABAAABAQCZbw6I46VWA/EjtpRzqOM/m5grn669eV9piq9vndsfh4R
+BBAAB3NzaZbw6I46VWAABAAABAQCZbw6I46VWA/EjtpRzqOM/m5grn669eV9piq9vndsfh4R rsa-key-20220223
exit
end

Also, to complete the setup on the switches, remove aaa authorization exec if it is enabled.

(config)#no aaa authorization exec default group radius local if-authenticated


Of course, the switch has to have SSH enabled and an IOS version greater than 12 in order to support pubkey authentication.

Works on many Catalyst models, old and recent.

Regards
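The thread compares "the hash of the key" as the switch shows it with the one on the Linux side. IOS stores a key configured under ip ssh pubkey-chain as "key-hash ssh-rsa <32 hex characters>", the MD5 of the base64-decoded key blob, which is the same digest ssh-keygen prints with "-l -E md5" (just without the colons). The script below is an added example, not code from the original thread or from Cisco: it rejoins a key that fold or a terminal wrapped across lines, prints that MD5 in both notations so the two sides can be compared, checks that a pasted key still decodes to the key type it declares (a 4-byte length followed by "ssh-rsa" is the start of every wire-format RSA key, and one dropped or altered character in a paste breaks that), and prints the key-hash form of the stanza so the raw key never has to be pasted line by line. It assumes a POSIX sh with base64 -d, od, head -c and either md5sum or openssl on PATH; the user name "svc" in the usage note and the tiny "key" blobs in the comments are constructed for illustration and are not real keys.

```shell
#!/bin/sh
# Added example, not from the original thread. Fingerprints an OpenSSH public
# key the way IOS records it under "ip ssh pubkey-chain" (key-hash ssh-rsa
# <32 hex chars>, the MD5 of the decoded key blob), checks that a pasted key
# still decodes to the type it claims, and emits the key-hash form of the
# stanza. Assumes base64 -d, od, head -c and md5sum or openssl on PATH.

# Rejoin a key that fold(1) or a terminal wrapped across lines.
# Wrapping inserts only newlines, so deleting them restores the single line.
ssh_pubkey_unwrap() {
    tr -d '\r\n'
    echo
}

# The base64 blob is the second whitespace-separated field of the key line,
# so feed the full "ssh-rsa <blob> <comment>" line, not a trimmed one.
ssh_pubkey_blob() {
    ssh_pubkey_unwrap | awk '{ print $2 }'
}

# MD5 of stdin as 32 lowercase hex characters, with whichever tool exists.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 | sed 's/.*= //'
    fi
}

# IOS "key-hash" value: MD5 over the raw (base64-decoded) key blob.
ssh_pubkey_ios_hash() {
    ssh_pubkey_blob | base64 -d | md5_hex
}

# Same digest in "ssh-keygen -l -E md5" notation (colon every two hex digits),
# which is what the Linux side prints, so the two can be compared by eye.
ssh_pubkey_md5_fp() {
    ssh_pubkey_ios_hash | sed 's/../&:/g; s/:$//'
}

# Consistency check for a pasted key. A wire-format blob starts with a 4-byte
# big-endian length followed by the key type string, so for "ssh-rsa" the
# decoded bytes must begin 0 0 0 7 "ssh-rsa". A dropped or altered character
# in the paste changes these bytes, which is one way the switch ends up with
# a different hash than the Linux side. Returns 0 when the blob is consistent.
ssh_pubkey_check() {
    line=$(ssh_pubkey_unwrap)
    type=$(printf '%s\n' "$line" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    [ -n "$type" ] && [ -n "$blob" ] || return 1
    hdr=$(printf '%s\n' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4 |
          tr -s ' ' | sed 's/^ *//; s/ *$//')
    blob_type=$(printf '%s\n' "$blob" | base64 -d 2>/dev/null |
                tail -c +5 | head -c "${#type}")
    if [ "$hdr" = "0 0 0 ${#type}" ] && [ "$blob_type" = "$type" ]; then
        return 0
    fi
    return 1
}

# Print an IOS stanza that installs the key by hash for USER (first argument),
# which sidesteps the key-string paste entirely.
ssh_pubkey_ios_config() {
    user=$1
    hash=$(ssh_pubkey_ios_hash)
    printf 'ip ssh pubkey-chain\n'
    printf ' username %s\n' "$user"
    printf '  key-hash ssh-rsa %s\n' "$hash"
    printf ' exit\n'
    printf 'exit\n'
}
```

Usage: after sourcing the file, "ssh_pubkey_check < ~/.ssh/id_rsa.pub && ssh_pubkey_ios_config svc < ~/.ssh/id_rsa.pub" prints the stanza to paste, and "ssh_pubkey_md5_fp < ~/.ssh/id_rsa.pub" should match both "ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub" and, colons removed, the key-hash line in "show running-config | section pubkey-chain". If the hash on the switch still differs after the key passes the check, the switch is holding a different key than the one being compared.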
